Web Security and Privacy Technologies

Boilerplate

This document is an issue paper about the challenges and issues faced by users with cognitive disabilities when trying to use web security and privacy technologies. This is part of a series of issue papers written by the Cognitive and Learning Disabilities Accessibility Task Force (COGA). It is a joint Task Force of the Accessible Platform Architectures (APA) Working Group and the Web Content Accessibility Guidelines Working Group (WCAG WG). This work will be used as a base document for other work, including a road-map for improving accessibility for people with cognitive disabilities.

Description of the technologies

Most user interfaces are designed to help users complete tasks. However, web security and privacy technologies intentionally introduce barriers to task completion. They require users to perceive more and to do more to complete tasks. Three examples of these technologies are passwords, CAPTCHA, and 2-Factor Authentication.

Challenges of security and privacy for people with cognitive disabilities

Web security and privacy technologies often block people with cognitive and/or physical disabilities who may not be able to:

The scope of the problem is vast because, for example, people with disabilities:

Memory

Many people with cognitive disabilities:

Some people with cognitive disabilities may not:

Executive function

Many people with cognitive disabilities may not:

Some people with cognitive disabilities may not be able to:

Attention-related limitations

People with cognitive disabilities may not focus due to:

Example: shows 2 italicized words with lines through them; field with label 'Type the two words:';  3 buttons; and text 'reCAPTCHA', 'stop spam', 'read books'.

Impaired language-related functions

Some people with cognitive disabilities:

Impaired literacy-related functions

Some people with cognitive disabilities:

Perception-processing limitations

Many people with cognitive disabilities may not:

Some people with cognitive disabilities may not:

Reduced knowledge

Some people with cognitive disabilities may not:

Proposed solutions

W3C recommended guidelines and techniques

Ease-of-use ideas

Alternative web security and privacy technologies

CAPTCHA alternatives

  • Inaccessibility of CAPTCHA: Alternatives to Visual Turing Tests on the Web [[turingtest]]
  • Determine the time difference between when a web form is loaded and when it is submitted. If it is submitted quickly, which may be indicative of a spambot, discard the submission. Otherwise, keep it.
  • CAPTCHA-less Security, Karl Groves, April, 2012.
  • A web-form honeypot that is:
    • an input field
    • hidden using CSS
    • labeled with a field name atypical of forms
    • clearly identified with instructions, for AT users and for others who have disabled CSS, not to fill it in
    • checked to determine if something was entered
    • used to reject a submission if something was entered

Note: The web-form honeypot will not work for popular websites because spammers will likely expend the effort to defeat it.
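The two CAPTCHA alternatives listed above (the load-to-submit time check and the honeypot field) can be combined in one server-side check. The sketch below is an added example, not code from this paper or from the cited sources. It goes one step beyond the text by signing the load timestamp with an HMAC so the client cannot alter it. The field names `fax_extension_2` and `form_token`, the 3-second threshold, and the function names are assumptions.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple

HONEYPOT_FIELD = "fax_extension_2"  # hypothetical name, atypical of real forms
TOKEN_FIELD = "form_token"          # hypothetical hidden field set at form load
MIN_FILL_SECONDS = 3.0              # assumed threshold; tune per form


def _sign(secret: bytes, ts: str) -> str:
    return hmac.new(secret, ts.encode(), hashlib.sha256).hexdigest()


def issue_form_token(secret: bytes, now: Optional[float] = None) -> str:
    """Return 'timestamp.signature' to embed in the form when it is served."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_sign(secret, ts)}"


def check_submission(form: dict, secret: bytes,
                     now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (accepted, reason) for a submitted form."""
    now = time.time() if now is None else now

    # Honeypot: people are instructed to leave it empty, so any content
    # means the submission is rejected.
    if form.get(HONEYPOT_FIELD, "").strip():
        return False, "honeypot-filled"

    # The load time is trusted only if its signature verifies.
    ts, _, sig = form.get(TOKEN_FIELD, "").partition(".")
    valid = hmac.compare_digest(sig.encode(), _sign(secret, ts).encode())
    if not ts.isdigit() or not valid:
        return False, "bad-token"

    # Timing: a lower bound only. No upper bound is enforced, because some
    # users need a long time to complete a form and must not be rejected.
    if now - int(ts) < MIN_FILL_SECONDS:
        return False, "submitted-too-fast"
    return True, "ok"
```

A signed token can still be replayed by a client that waits out the delay, so this raises the cost for simple spambots only, consistent with the note above about popular websites.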